-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
468 lines (421 loc) · 19.7 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta content="width=device-width" name="viewport">
<title>Threat Modeling for Decentralized Identity @ W3C</title>
<link rel="stylesheet" href="https://www.w3.org/Talks/Tools/Shower3-1/slides.css">
<script src="https://www.w3.org/Talks/Tools/Shower3-1/shower.js" type="text/javascript"></script>
<style>
.slide .icon-block {
display: block;
position: relative;
padding: 0 0 0 4em;
line-height: 1.5;
min-height: 3em
/* 2 lines */
}
.slide .icon-block>.icon {
position: absolute;
font-size: 1.8em;
text-align: center;
top: 0;
left: 0;
width: 1.5em;
height: 1.5em;
margin: 0;
object-fit: cover
}
.slide li.icon-block {
margin-left: 0;
list-style: none
}
.slide li.icon-block::before {
content: none
}
dd {
margin-left: 2em;
}
.text-right {
text-align: right;
}
#members {
border-collapse: collapse;
}
#members td,
#members th {
border: 1px solid;
}
#members td {
vertical-align: top;
}
.spaced {
margin-top: 3em;
}
.spaced>li {
margin-top: 1em;
}
/* one item on 2 columns */
.two-columns {
column-count: 2;
column-gap: 1.2 rem;
}
/* 2x1 grid */
.grid2 {
display: grid;
gap: 1.2rem;
grid-template-columns: 1fr 1fr;
place-items: center center;
}
/* 1+2 grid */
.grid12 {
display: grid;
gap: 1.2rem;
grid-template-columns: 1fr 2fr;
place-items: center center;
}
figure {
margin: 10px;
}
/* 3x1 grid */
.grid3 {
display: grid;
gap: 0rem;
grid-template-columns: 1fr 1fr 1fr;
}
.grid3 h4 {
text-align: center
}
.grid3 h4.green {
color: rgba(124, 181, 84);
}
.grid3 h4.blue {
color: rgba(65, 131, 215);
}
.grid3 div {
padding: 5px;
border-radius: 20px;
}
.grid3 div.green {
background: rgba(124, 181, 84, 0.2);
border: 1px solid rgba(124, 181, 84, 0.5);
}
.grid3 div.blue {
background: rgba(65, 131, 215, 0.2);
border: 1px solid rgba(65, 131, 215, 0.5);
padding: 20px;
}
/* 2x2 grid */
.grid4 {
display: grid;
gap: 1.2rem;
grid-template-columns: 1fr 1fr;
grid-template-rows: 20vh 20vh;
place-items: center center;
}
.grid2 *,
.grid4 * {
max-width: 100%;
}
.grid2 * {
max-height: 350px;
}
.grid4 * {
max-height: 175px;
}
figcaption {
text-align: center;
font-size: 0.8em;
color: blue;
}
.slide.cover address {
font-family: My Gill Sans;
}
.todo {
background-color: yellow;
}
.center {
text-align: center;
}
</style>
</head>
<body class="shower">
<div class="progress">
<!-- Remove this element if you don't want a progress bar -->
</div>
<section class="slide cover clear" id="start">
<h1>Threat Modeling for Decentralized Identities @ W3C</h1>
<p>September 6th, 2024</p>
<address style="font-size: medium">
Simone Onofri<br>
<span style="font-size: small;">W3C Security Lead</span><br>
WeChat: wxid_3hq0pclnrhr512<br>
Email: [email protected]<br>
</address>
</section>
<!-- Introduction -->
<section class="slide">
<h1>Who am I?</h1>
<ul class="spaced">
<li>W3C <a href="https://www.w3.org/mission/security/">Security</a> Lead <span lang="cn">安全标准领域负责人</span> since 2024
<ul>
<li>Staff Contact for Web Application Security, Web Authentication, Federated Identity Working Groups, and <i>proposed</i> Security Interest Group</li>
<li>Co-Chair of <em>Threat Modeling Community Group</em></li>
</ul>
</li>
<li>I was in W3C in 2006 for the Semantic Web Deployment Working Group</li>
<li>But in general, I am Security Geek since 2004 (and before) for Red Teaming, Blue Teaming, Security Research, etc...</li>
<li><em>I care about a secure Web</em></li>
</ul>
</section>
<section class="slide side right">
<h1>World Wide Web Consortium 万维网联盟</h1>
<img class=side src="https://www.w3.org/comm/assets/graphics/w3c-composition.png" alt="W3C composition">
<ul style="font-size: 80%;">
<li>Founded in 1994 by Tim Berners-Lee, who was Director until June 12, 2023 由 Tim Berners-Lee 于 1994 年创立,并担任董事至 2023 年 6 月 12 日</li>
<li>Over 500 technical Web standards<!-- https://www.w3.org/standards/stats/?startdate=1994-10-01&enddate=2024-08-29 -->,<br>480 in progress 约480份开发中的标准 <!-- https://w3c.github.io/spec-dashboard/report.html --></li>
<li>Consensus-driven process 由共识驱动的流程, <br>Royalty-Free patent policy 免版税专利政策</li>
<li>Over 350 Members 超过 350个成员单位</li>
</ul>
</section>
<!-- Decentralized Credentials Threat Model -->
<section class="slide">
<h1>What is Threat Modeling?</h1>
<ul>
<li>Threat Modeling is a <strong>family of structured, repeatable processes</strong> that allow us to make <strong>rational decisions</strong> to secure applications, software, and systems (Shostack, 2014).</li>
<li>During Threat Modeling, <strong>we can anticipate potential threats</strong>, such as vulnerabilities or absence of controls, and prioritize the mitigations (OWASP).</li>
<li>It is a form of risk assessment that <strong>models aspects of the attack and defense</strong> sides (NIST SP 800-53 Rev. 5, NIST SP 800-154).</li>
</ul>
</section>
<section class="slide">
<h2>Why Threat Modeling for Digital Credentials?</h2>
<ul>
<li>At W3C, we use Threat Modeling to analyze standards and write the <a href="https://www.w3.org/TR/security-privacy-questionnaire/">security and privacy considerations</a> sections.</li>
<li>When members proposed the standardization of the <a href="https://github.com/w3c/strategy/issues/450">Digital Credentials API</a>, members requested a <a href="https://github.com/w3c/strategy/issues/458">comprehensive threats analysis</a> because the API will mediate in the Browser high-assurance and government-issued credentials.</li>
<li>Therefore, we created the <a href="https://www.w3.org/groups/cg/tmcg/">Threat Modeling Community Group</a> open to all to discuss the various threats.</li>
<li>We started a generic 'meta' model, not only on the API, that can also be used as a starting point by any <abbr title="Standards Development Organizations">SDOs</abbr>, Governments, and Implementers.</li>
</ul>
</section>
<section class="slide">
<h1>How are we doing Threat Modeling?</h1>
<p>We are using the "<a href="https://github.com/adamshostack/4QuestionFrame">Four Questions Frame</a>":</p>
<ul>
<li><strong>What are we working on?</strong><br>(understanding scope, architecture, actors, data flows, etc...)</li>
<li><strong>What can go wrong?</strong><br>(understanding threats, threat actors, attacks, etc...)</li>
<li><strong>What are we going to do about it?</strong><br>(Identifying and prioritizing countermeasures, residual risk, etc...)</li>
<li><strong>Did we do a good job?</strong><br>(reiterating until we are happy with the result)</li>
</ul>
</section>
<section class="slide">
<h1>What are we working on?<br><strong>Architecture</strong></h1>
<p>We started from the <a href="https://www.w3.org/TR/vc-data-model-2.0/">Verifiable Credentials Data Model (VCDM)</a> to identify main Actors, Data Flows, and Data to protect.</p>
<figure class="center">
<img src="https://www.w3.org/TR/vc-data-model-2.0/diagrams/ecosystem.svg">
<figcaption>The actors and data flows of VCDM</figcaption>
</figure>
</section>
<section class="slide">
<h1>What are we working on?<br><strong>Actors and Data Flows</strong></h1>
<ul>
<li>We have an <strong>Issuer</strong>, which issues the <i>Verifiable Credential</i> to the <i>Holder</i> and manages the status (e.g., revocation).</li>
<li>We have a <strong>Holder</strong>, who stores the <i>Verifiable Credential</i> in a <i>Wallet</i>, and send the <i>Verifiable Presentation</i> to a <i>Verifier</i>.</li>
<li>We have a <strong>Verifier</strong>, who verifies the <i>Holder</i>'s <i>Verifiable Presentations</i> to give access to a resource or a service.</li>
<li>We also have a <strong>Verifiable Data Registry (VDR)</strong>, which stores <i>identifiers</i> and schemas.</li>
</ul>
</section>
<section class="slide">
<h1>What are we working on?<br><strong>Exchanged Data</strong></h1>
<ul style="font-size: 80%">
<li><strong>Verifiable Credentials</strong> (created by the Issuer):
<ul>
<li>Metadata: of the Credentials (e.g., reference to the issuer, the validity date)</li>
<li>Claim(s): one or more assertions where a characteristic of a subject is described, in a specific <em>format</em> (e.g., Alice is a citizen of a certain state).</li>
<li>Proof(s): <em>cryptographic</em> proof of the integrity of the credential, typically via a digital signature.</li>
</ul>
</li>
<li><strong>Verifiable Presentations</strong> (created by the Holder):
<ul>
<li>Metadata: of the Presentation</li>
<li>Verifiable Credential(s): data from multiple Verifiable Credentials in the form of additional claims.</li>
<li>Proof(s): <em>cryptographic</em> proof of the integrity of the credential, typically via a digital signature.</li>
</ul>
</li>
</ul>
<p class="note">From a Threat Modeling perspective: we have cryptography, formats, serialization, <a href="https://www.w3.org/TR/rdf-canon/">canonicalization</a>, identifiers, revocation methods, etc...</p>
</section>
<section class="slide">
<h1>What are we working on?<br><strong>Identifiers</strong></h1>
<ul>
<li>Talking about <strong>identifiers</strong>, we mainly refer to the Decentralized Identifiers (DIDs), an identifier technology based on cryptography that empowers the user to control their data and and usage.</li>
<li>DIDs methods can rely on various technologies, including blockchains, the web, InterPlanetary File System (IPFS), and Domain Name System (DNS).</li>
</ul>
<p class="note">From a Threat Modeling perspective: <em>each DID method needs it is own Threat Model</em> (e.g., <code>did:web</code> may calls home, <code>did:btcr</code> may have correlation)</p>
</section>
<section class="slide">
<h1>What can go wrong?<br><strong>Mnemonic Threat Lists</strong></h1>
<q>One effective though inefficient approach to threat modeling is to cycle the various lists to understand how they may affect the model</q>
<ul>
<li><strong>STRIDE</strong> <i>(Security Threats)</i>: Spoofing, Tampering, <em>Repudiation</em>, Denial of service, Escalation of privileges</li>
<li><strong>LINDDUN</strong> <i>(Privacy Threats)</i>: Linking, Identifying, <em>Non-Repudiation</em>, Detecting, Data Disclosure, Unawareness, Non-Compliance</li>
</ul>
<p class="note">Note: <strong>Repudiation</strong> is a Security Threat, and its negation <strong>Non-Repudiation</strong>, is a Privacy Threat.</p>
</section>
<section class="slide">
<h1>What can go wrong?<br><strong>Other lists</strong></h1>
<ul>
<li><strong>Open Source Security Testing Methodology Manual (OSSTMM)</strong> <i>(Controls)</i>: Authentication, Indemnification, Resilience, Subjugation, Continuity, <em>Non-Repudiation</em>, Confidentiality, <em>Privacy</em>, Integrity, Alarm</li>
<li><strong>RFC 3552</strong> <i>(Security Attacks)</i>: Replay Attacks, Message Insertion, Message Deletion, Message Modification, Man-In-The-Middle</li>
<li><strong>RFC 6973</strong> <i>(Privacy Threats)</i>: Correlation, Identification, Secondary Use, Disclosure, Exclusion</li>
</ul>
<p class="note">Note: In OSSTMM, <em>Security and Privacy are together</em>, and anyway there are some overlaps.</p>
</section>
<section class="slide">
<h1>What can go wrong?<br><strong>Using LINDDUN</strong></h1>
<figure>
<img src="assets/threat-model-digital-credentials-ietf120.svg"/>
<figcaption>Brainstorming, using gamification, in a Side Meeting @ IETF120</figcaption>
</figure>
</section>
<section class="slide">
<h1>What are we going to do about it?<br><strong>Mitigations</strong></h1>
<ul style="font-size: 80%;">
<li><strong>Anonymous Revocation</strong>: a verifier must be able to verify the status of a credential, without having the ability to correlate information about the credentials and the holder.</li>
<li><strong>Privacy-Preserving DID methods</strong>: For example, during resolution, it is possible that the method communicates with the issuer. If the DID uses a distributed ledger, it would be better not to write private information into it.</li>
<li><strong>Selective Disclosure and Unlinkable Credentials</strong>: is the ability to show only a part of the credential and not the full one, in an unlinkable manner. For example, we can show only the date of birth rather than the full passport where it is contained, we are working on <a href="https://www.w3.org/TR/vc-di-bbs/">BBS cryptosuites</a>.</li>
<li><strong>Post-Quantum Cryprography</strong>: <a href="https://w3c-ccg.github.io/di-quantum-safe/">Quantum-safe cryptosuites</a> for signatures.</li>
</ul>
<p class="note"><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/200">Feedback</a> on the EU Digital Identity's ARF 1.4.0: <q>Our specific recommendation is to use the BBS</q> [...], and <q>countering future quantum threats</q>, and we probably need new chips.</p>
</section>
<section class="slide">
<h2>Did we do a good job?</h2>
<p><q>All models are wrong, but some are useful</q> from statistician George Box (1976), quoted by Shostack (2014)</p>
<ul>
<li>This Model is useful for us to understand the big picture, create a place to sharing ideas, and understanding the need for other standards.</li>
<li>Each solution needs a dedicated Threat Model (e.g., <a href="https://drive.google.com/drive/folders/1mgwhZ0jTAeGIE8Ewf3kK34dLjPwOTM5L">EUDI Communication Protocol and Wallet</a>) and to be <em>interoperable</em>.</li>
<li>Welcome to join the Threat Model discussions in the <a href="https://www.w3.org/community/tmcg/">Threat Modeling Community Group</a>.</li>
</ul>
</section>
<!-- Outro -->
<section class="slide">
<h1><span lang="cn">谢谢</span></h1>
<p>See also:</p>
<ul>
<li>
<q>Identity & the Web</q>
<a href="https://www.w3.org/reports/identity-web-impact/">https://www.w3.org/reports/identity-web-impact/</a>
</li>
<li>
<q>Threat Model for Digital Credentials</q>
<a href="https://github.com/w3c-cg/threat-modeling/blob/main/models/decentralized-identities.md/">https://github.com/w3c-cg/threat-modeling/blob/main/models/decentralized-identities.md</a>
</li>
</ul>
<div>
<p>
These slides:
<br>
<a href="https://w3.org/2024/Talks/inclusion-simone/">https://w3.org/2024/Talks/inclusion-simone/</a>
</p>
<p>Email: [email protected]</p>
<p>WeChat: wxid_3hq0pclnrhr512</p>
</div>
</section>
<!-- Backup -->
<!--
<section class="slide side right" id="how">
<h2>Security @ W3C</h2>
<ul style="font-size: smaller">
<li><strong>Developing security technology standards</strong>
<ul>
<li>Web Application Security Working Group (e.g., Content-Security-Policy)</li>
<li>Web Authentication Working Group (e.g., Passkeys in the Browser)</li>
<li>Federated Identity Working Group (e.g., Digital Credentials API <sup>proposed</sup>)</li>
<li>Web Payments Working Group (e.g., Secure Payments Confirmation)</li>
</ul>
</li>
<li><strong>Reviewing the security of the standards</strong>
<ul>
<li><em>Threat Modeling Community Group</em></li>
<li>Security Interest Group <sup>proposed</sup></li>
</ul>
</li>
<li><strong>Guiding Web Developers</strong>
<ul>
<li>Security Web Application Guidelines Community Group</li>
</ul>
</li>
</ul>
<p class="note">More info: <a href="https://www.w3.org/mission/security/">https://www.w3.org/mission/security/</a></p>
</section>
-->
<!--
<section class="slide">
<h2>Identity @ W3C</h2>
<ul>
<li>Centralized Identity: Web Authentication for Passwordless logins</li>
<li>Federated Identity: Federated Credentials Management and Status API to avoid third-party cookies</li>
<li>Decentralized Identity:
<ul>
<li>Digital Credentials API for mediation of presentation <sup>proposed</sup></li>
<li>Verifiable Credentials and Decentralized Identifiers (DID) with BBS</li>
<li>Verifiable Credentials API, Verifiable Credentials Barcodes, Quantum-Proof signatures <sup>community</sup></li>
</ul>
</section>
-->
<!--
<section class="slide">
<h2>Which model is better?</h2>
<div class="columns">
<div class="next">
<figure>
<img src="assets/falcon-lego.png"/>
<figcaption>LEGO's Millenium Falcon</figcaption>
</figure>
</div>
<div class="next">
<figure>
<img src="assets/falcon-park.png"/>
<figcaption>Walt Disney World's Millenium Falcon</figcaption>
</figure>
</div>
</section>
<section class="slide">
<h2>Which model is better?</h2>
<q class="shout">All models are wrong, but some are useful</q>
<p>from statistician George Box (1976), quoted by Shostack (2014) in the context of threat modeling</p>
</section>
-->
<!--
<section class="slide">
<h2>What are we working on?<br>Decentralized Identities Ecosystem</h2>
<figure class="center">
<img width="60%" src="https://www.w3.org/reports/identity-web-impact/figures/decentralized-identity-layers.svg">
<figcaption>Decentralized Identity Ecosystem</figcaption>
</figure>
</section>
<section class="slide">
<h1>What are we working on?<br><strong>Credential Layer</strong></h1>
<figure class="center">
<img src="assets/credential-layer.svg">
<figcaption>Credential Layer</figcaption>
</figure>
</section>
-->
<!--
<section class="slide">
<h1>What are we working on?<br><strong>Decentralized Identifiers</strong></h1>
<p style="font-size: 80%;">
An identifier technology based on cryptography that empowers us to control our
data and consent to its usage, often paired with Verifiable Credentials.
These methods can rely on various technologies, including blockchains, the web, InterPlanetary File
System (IPFS), and Domain Name System (DNS) [did-spec-registries]. 基于密码学的标识符技术,促使我们掌管我们的个人数据并授权同意其使用;通常与 VC
可验证凭据配对。这些方法可以依靠各种技术,包括区块链,Web,行星际文件系统(IPFS)和域名系统(DNS)[DID Spec-Spec-Registries]。<br>
<a href="https://www.w3.org/TR/did-core/">Decentralized Identifiers (DIDs) v1.0</a>, W3C Standard, July 2022.
</p>
<div style="margin: auto; max-width:90%">
<img src="https://w3.org/2023/Talks/plh-jp-mic/did.svg"
alt="An example of a decentralized identifier shown left to right the 'did' scheme, followed by a colon, followed by an 'example' DID Method identifier, followed by another colon, followed by a method specific identifier with the characters '123456789abcdefghi' is shown." />
</div>
</section>
-->
</body>
</html>